MatthewVance / unbound-docker

Unbound DNS Server Docker Image
MIT License
585 stars, 142 forks

DNS64 module missing #80

Open buraglio opened 3 years ago

buraglio commented 3 years ago

When attempting to use this docker image as a DNS64 resolver the following errors are thrown:

```
root@dockerhost:/data/docker/volumes/etc-unbound# docker-compose up unbound1
Starting unbound1 ... done
Attaching to unbound1
unbound1      | /opt/unbound/etc/unbound/unbound.conf:10: error: syntax error
unbound1      | read /opt/unbound/etc/unbound/unbound.conf failed: 1 errors in configuration file
unbound1      | [1631294280] unbound[1:0] fatal error: Could not read config file: /opt/unbound/etc/unbound/unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
```

It appears as if the DNS64 module is not compiled in. It would be a great addition to this docker image, any chance you could add it?

The relevant configuration in unbound.conf is:

```
module-config: "dns64 validator iterator"
dns64-prefix: 64:FF9B::/96
```

When removed, the unbound instance works great.

MatthewVance commented 2 years ago

I'm not sure how to include that module. I thought it would be a compile option, but I'm not seeing it. This is the output of ./configure -h for Unbound 1.15.0:

`configure' configures unbound 1.15.0 to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/unbound]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-checking       Enable warnings, asserts, makefile-dependencies
  --enable-debug          same as enable-checking
  --disable-flto          Disable link-time optimization (gcc specific option)
  --enable-pie            Enable Position-Independent Executable (eg. to fully
                          benefit from ASLR, small performance penalty)
  --enable-relro-now      Enable full relocation binding at load-time (RELRO
                          NOW, to protect GOT and .dtor areas)
  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-static[=PKGS]  build static libraries [default=yes]
  --enable-fast-install[=PKGS]
                          optimize for fast installation [default=yes]
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --disable-rpath         disable hardcoded rpath (default=enabled)
  --disable-largefile     omit support for large files
  --enable-systemd        compile with systemd support
  --enable-alloc-checks   enable to memory allocation statistics, for debug
                          purposes
  --enable-alloc-lite     enable for lightweight alloc assertions, for debug
                          purposes
  --enable-alloc-nonregional
                          enable nonregional allocs, slow but exposes regional
                          allocations to other memory purifiers, for debug
                          purposes
  --disable-swig-version-check
                          Disable swig version check to build python modules
                          with older swig even though that is unreliable
  --disable-sha1          Disable SHA1 RRSIG support, does not disable nsec3
                          support
  --disable-sha2          Disable SHA256 and SHA512 RRSIG support
  --enable-subnet         Enable client subnet
  --disable-gost          Disable GOST support
  --disable-ecdsa         Disable ECDSA support
  --disable-dsa           Disable DSA support
  --disable-ed25519       Disable ED25519 support
  --disable-ed448         Disable ED448 support
  --enable-event-api      Enable (experimental) pluggable event base
                          libunbound API installed to unbound-event.h
  --enable-tfo-client     Enable TCP Fast Open for client mode
  --enable-tfo-server     Enable TCP Fast Open for server mode
  --enable-static-exe     enable to compile executables statically against
                          (event) uninstalled libs, for debug purposes
  --enable-fully-static   enable to compile fully static
  --enable-lock-checks    enable to check lock and unlock calls, for debug
                          purposes
  --enable-allsymbols     export all symbols from libunbound and link binaries
                          to it, smaller install size but libunbound export
                          table is polluted by internal symbols
  --enable-dnstap         Enable dnstap support (requires protobuf-c)
  --enable-dnscrypt       Enable dnscrypt support (requires libsodium)
  --enable-cachedb        enable cachedb module that can use external cache
                          storage
  --enable-ipsecmod       Enable ipsecmod module that facilitates
                          opportunistic IPsec
  --enable-ipset          enable ipset module
  --disable-explicit-port-randomisation
                          disable explicit source port randomisation and rely
                          on the kernel to provide random source ports
  --enable-linux-ip-local-port-range
                          Define this to enable use of
                          /proc/sys/net/ipv4/ip_local_port_range as a default
                          outgoing port range. This is only for the libunbound
                          on Linux and does not affect unbound resolving
                          daemon itself. This may severely limit the number of
                          available outgoing ports and thus decrease
                          randomness. Define this only when the target system
                          restricts (e.g. some of SELinux enabled
                          distributions) the use of non-ephemeral ports.

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-conf-file=path   Pathname to the Unbound configuration file
  --with-run-dir=path     set default directory to chdir to (by default dir
                          part of cfg file)
  --with-chroot-dir=path  set default directory to chroot to (by default same
                          as run-dir)
  --with-share-dir=path   set default directory with shared data (by default
                          same as share/unbound)
  --with-pidfile=filename set default pathname to unbound pidfile (default
                          run-dir/unbound.pid)
  --with-rootkey-file=filename
                          set default pathname to root key file (default
                          run-dir/root.key). This file is read and written.
  --with-rootcert-file=filename
                          set default pathname to root update certificate file
                          (default run-dir/icannbundle.pem). This file need
                          not exist if you are content with the builtin.
  --with-username=user    set default user that unbound changes to (default
                          user is unbound)
  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                          both]
  --with-aix-soname=aix|svr4|both
                          shared library versioning (aka "SONAME") variant to
                          provide on AIX, [default=aix].
  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
  --with-sysroot[=DIR]    Search for dependent libraries within DIR (or the
                          compiler's sysroot if not specified).
  --with-pthreads         use pthreads library, or --without-pthreads to
                          disable threading support.
  --with-solaris-threads  use solaris native thread library.
  --with-syslog-facility=LOCAL0 - LOCAL7
                          set SYSLOG_FACILITY, default DAEMON
  --with-dynlibmodule     build dynamic library module, or
                          --without-dynlibmodule to disable it. (default=no)
  --with-pyunbound        build PyUnbound, or --without-pyunbound to skip it.
                          (default=no)
  --with-pythonmodule     build Python module, or --without-pythonmodule to
                          disable script engine. (default=no)
  --with-nss=path         use libnss instead of openssl, installed at path.
  --with-nettle=path      use libnettle as crypto library, installed at path.
  --with-ssl=pathname     enable SSL (will check /usr/local/ssl /usr/lib/ssl
                          /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw
                          /usr or specify like /usr/include/openssl11)
  --with-libbsd           Use portable libbsd functions
  --with-deprecate-rsa-1024
                          Deprecate RSA 1024 bit length, makes that an
                          unsupported key, for use when OpenSSL FIPS refuses
                          1024 bit verification
  --with-libevent=pathname
                          use libevent (will check /usr/local /opt/local
                          /usr/lib /usr/pkg /usr/sfw /usr or you can specify
                          an explicit path). Slower, but allows use of large
                          outgoing port ranges.
  --with-libexpat=path    specify explicit path for libexpat.
  --with-libhiredis=path  specify explicit path for libhiredis.
  --with-libnghttp2=path  specify explicit path for libnghttp2.
  --with-dnstap-socket-path=pathname
                          set default dnstap socket path
  --with-protobuf-c=path  Path where protobuf-c is installed, for dnstap
  --with-libsodium=path   Path where libsodium is installed, for dnscrypt
  --with-libmnl=path      specify explicit path for libmnl.
  --with-libunbound-only  do not build daemon and tool programs

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor
  YACC        The `Yet Another Compiler Compiler' implementation to use.
              Defaults to the first program found out of: `bison -y', `byacc',
              `yacc'.
  YFLAGS      The list of arguments that will be passed by default to $YACC.
              This script will default YFLAGS to the empty string to avoid a
              default value of `-d' given by some make applications.
  LT_SYS_LIBRARY_PATH
              User-defined run-time library search path.
  PKG_CONFIG  path to pkg-config utility
  PKG_CONFIG_PATH
              directories to add to pkg-config's search path
  PKG_CONFIG_LIBDIR
              path overriding pkg-config's built-in search path
  SYSTEMD_CFLAGS
              C compiler flags for SYSTEMD, overriding pkg-config
  SYSTEMD_LIBS
              linker flags for SYSTEMD, overriding pkg-config
  SYSTEMD_DAEMON_CFLAGS
              C compiler flags for SYSTEMD_DAEMON, overriding pkg-config
  SYSTEMD_DAEMON_LIBS
              linker flags for SYSTEMD_DAEMON, overriding pkg-config
  PYTHON_VERSION
              The installed Python version to use, for example '2.3'. This
              string will be appended to the Python interpreter canonical
              name.

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.

buraglio commented 2 years ago

I did some digging on this as well and it looked to me like it was a default. I saw some references to it in older versions of unbound, but it works with the standard install in packaged ubuntu debs. I am fairly unfamiliar with building docker images, but I know linux and unbound well enough, and am happy to help test if that is useful.

MatthewVance commented 2 years ago

That would be great. I can handle the Docker part.

You may be able to tell from the package management system what Ubuntu included in the package to support Unbound. I wonder if this is a missing Linux package in the image rather than a compile time flag.

I didn't have much luck finding info about this in the Unbound docs.

> On Feb 14, 2022, at 3:55 PM, Nick Buraglio wrote:
>
> I did some digging on this as well and it looked to me like it was a default. I saw some references to it in older versions of unbound, but it works with the standard install in packaged ubuntu debs. I am fairly unfamiliar with building docker images, but I know linux and unbound well enough, and am happy to help test if that is useful.

buraglio commented 2 years ago

Yes, this is why I am exercising this kind of thing as much as possible. The more exposure these codepaths get, the better.

mxmartins commented 2 years ago

I have the latest version of unbound running on a variety of environments. For this comparison with this docker container, I'm using a Raspberry Pi 4B (8GB).

When I look at the install in the docker container, I get this:

```
root@DiskStation:~# docker exec -it DNS-unbound /bin/bash
root@DNS-unbound:/opt/unbound# unbound -V
Version 1.15.0

Configure line: --disable-dependency-tracking --prefix=/opt/unbound --with-pthreads --with-username=_unbound --with-ssl=/opt/openssl --with-libevent --with-libnghttp2 --enable-dnstap --enable-tfo-server --enable-tfo-client --enable-event-api
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
```

From what I see there, the dns64 module appears to be linked in.

Now looking at my Pi information:

```
root@Raspberry-Pi-4:~# unbound -V
Version 1.15.0

Configure line: --prefix=/usr --sysconfdir=/etc --disable-static --with-libevent=/opt/libevent --with-pidfile=/run/unbound.pid
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1m 14 Dec 2021
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
```

In regards to the DNS64 module, it looks the same...

So, are we sure this is a compile issue?
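The two `unbound -V` outputs above both list `dns64` under "Linked modules", which is the line that answers the compile-time question; the remaining suspects are in unbound.conf itself. The script below is an added example for this thread (not code from unbound-docker or from Unbound) that automates that comparison: it reads the "Linked modules:" line from `unbound -V` output and the `module-config` / `dns64-prefix` options from a config fragment, and applies the rules from unbound.conf(5): `module-config` is a quoted, ordered list, `dns64` has to come before `validator` and `iterator`, `iterator` comes last, and `dns64-prefix` must be a valid prefix of length /96 or shorter. The sample `-V` text and the two config fragments are constructed for the example (the "good" one is the thread's own two lines). Inside the container the real inputs come from `unbound -V` and `unbound-checkconf /opt/unbound/etc/unbound/unbound.conf`.

```python
"""Check a DNS64 unbound.conf fragment against what the Unbound binary reports.

Added example, not code from unbound-docker or Unbound.  Rules follow
unbound.conf(5); "Linked modules:" is the line printed by `unbound -V`.
"""
from __future__ import annotations

import ipaddress
import re


def linked_modules(unbound_v_output: str) -> set:
    """Module names from the 'Linked modules:' line of `unbound -V` (empty if absent)."""
    for line in unbound_v_output.splitlines():
        if line.startswith("Linked modules:"):
            return set(line.split(":", 1)[1].split())
    return set()


def parse_conf(conf_text: str) -> dict:
    """Collect 'option: value' pairs from an unbound.conf fragment; '#' comments are dropped."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def lint_dns64(conf_text: str, unbound_v_output: str) -> list:
    """Return a list of problems; an empty list means the DNS64 setup looks loadable."""
    findings = []
    opts = parse_conf(conf_text)
    linked = linked_modules(unbound_v_output)

    if "module-config" not in opts:
        return ["no module-config line: the built-in default does not load dns64"]

    raw = opts["module-config"]
    if not (raw.startswith('"') and raw.endswith('"')):
        findings.append('module-config must be a quoted string, e.g. module-config: "dns64 validator iterator"')
    modules = raw.strip('"').split()

    # The compile-time question from the thread: is every requested module linked in?
    for mod in modules:
        if linked and mod not in linked:
            findings.append(f"module {mod!r} is not in this binary's Linked modules ({' '.join(sorted(linked))})")

    # Modules run front to back, so dns64 has to sit in front of validator and iterator.
    if "dns64" in modules:
        for later in ("validator", "iterator"):
            if later in modules and modules.index(later) < modules.index("dns64"):
                findings.append(f"dns64 must be listed before {later}")
    if modules and modules[-1] != "iterator":
        findings.append("iterator must be the last module in module-config")

    prefix = opts.get("dns64-prefix")
    if "dns64" in modules and prefix:
        try:
            net = ipaddress.IPv6Network(prefix, strict=True)  # strict: host bits must be zero
            if net.prefixlen > 96:
                findings.append(f"dns64-prefix {prefix} is longer than /96")
        except ValueError as exc:
            findings.append(f"dns64-prefix {prefix!r} is not usable: {exc}")
    return findings


# Constructed sample: the shape of `unbound -V` output from the container in this thread.
CONTAINER_V = """Version 1.15.0

Configure line: --prefix=/opt/unbound --with-pthreads --with-libevent
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available
"""

# Constructed sample: a build whose module list lacks dns64.
NO_DNS64_V = "Version 1.15.0\nLinked modules: validator iterator\n"

# The two lines from the opening comment, inside a server: clause.
GOOD_CONF = """server:
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:FF9B::/96
"""

# Constructed counter-example: unquoted, wrong order, host bits set in the prefix.
BAD_CONF = """server:
    module-config: validator iterator dns64
    dns64-prefix: 64:ff9b::1/96
"""

if __name__ == "__main__":
    for name, conf, vout in (("good", GOOD_CONF, CONTAINER_V),
                             ("bad", BAD_CONF, CONTAINER_V),
                             ("good on a build without dns64", GOOD_CONF, NO_DNS64_V)):
        print(f"{name}: {lint_dns64(conf, vout) or 'no findings'}")
```

The lint cannot tell you what Unbound's parser tripped over at line 10 of the real file; that is still `unbound-checkconf`'s job. It does separate the two hypotheses in the thread: if `dns64` is absent from "Linked modules" the fix is in the build, otherwise it is in the config.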

mxmartins commented 2 years ago

This article provides a good explanation of DNS64: http://www.hit.bme.hu/~lencse/publications/STS-2015-DNS64-revised.pdf

I'm no expert on this topic, but one of the things I found in there that stood out is this:

> Unbound does not provide the DNS64 functionality when it is set up as a forwarder, thus it was tested only as a recursor.

Assuming this is still the case, the issue may be your configuration. But you say it works under other OS, so I'm not sure...

mxmartins commented 2 years ago

When you include the DNS64 commands in the unbound configuration, did you run a configuration check? What errors does the configuration check find?